Simple Comments is a security plugin that blocks spambots from forms, and hackbots from forms.
How it Works
Simple Comments prevents spambots from sending form data directly to the wp-comments-post.php file, and it also secures the comment form of a theme from spam bots that use automated methods to fill out and submit the form. A similar approach is used to secure non-comment forms from hackbots. To understand how Simple Comments works from a technical perspective, the code from the plugin can better explain.
Comment Form Security Options
There are many options that can be applied to the comment form, most of which are enabled by default to allow the plugin to work effectively after it is installed. Spambot protection for comment forms is on by default, and cannot be turned off.
- Spambot Stats – Displays the number of blocked spambots on the comment form.
- Remove Comment HTML – This strips out any HTML tags that are used in a comment. Spammers like to create links to web sites in comments. With this option on, links are jut text, not link, so a spam link won’t hurt the Search Engine Optimization of your blog. Allowing HTML into comments was shown to be a security risk, which this option eliminates entirely.
- Remove URL Field – Standard comment forms have a form field that allows a visitor to provide their web site address, which is the first form field spammers target to get a link to their desired web site. This hurts your SEO, and could lead your readers to visit a web site that damages their computer, and your reputation. With this option on, the web site address form field is removed from the comment form.
- Remove Author Link – This option is similar to the URL Field above.
- Close Pingbacks – Pingbacks, aka trackbacks, are 99.9% spam, and they hurt a blog’s SEO. A pingback puts a link to another web site on your blog post, which provides nothing useful for your readers, and only clutters up your comment area, so this option is on by default.
- Generate Comment Form – Some very old, or very broken themes, might need help providing a proper comment form. This option will generate a proper comment form, and a comment list, that replaces those provided by your theme.
- Nonce Security – A nonce is a security method provided by your WordPress installation. It can provide additional security. On some hosting environments nonces can be broken, causing a nonce error to be displayed by Simple Comments. To fix this, turn this option off, or changes web hosts, whichever is easiest for you.
- Store Spam – Simple Comments default behavior is to block spam from every reaching your spam folder. If you want to see what is being blocked you can turn this option on. Your blog will perform better with this option off.
The Forms Security settings apply to non-comment forms. The forms Simple Comments protects will only appear on this list if they are available. For example, if Gravity Forms is not activated, it will not appear on the list.
- WordPress Login Form – In 2013 there was a hackbot attack on WordPress blogs that left hundreds of thousands of WordPress installations infected. The methods used were brute force, and dictionary. The hackbot just kept trying different usernames and passwords until it got it. Simple Comments doesn’t allow even one attempt to get through. With this option on you will have to manually type in your username and password. If your web browser automatically fills in this information, delete it, and fill it in manually. It’s a small annoyance to stay protected from an infected WordPress installation.
- WordPress User Registration Form – Hackbots register bogus account when the “Anyone can Register” option is on under Settings > General > Membership. This allows a hackbot a foot-in-the-door of your security, allowing hackbots to do a lot, including to bypass Simple Comments. Comments left by logged in users are allowed as trusted by Simple Comments.
- Gravity Forms – Any type of form can be targeted by a spambot, including the most common contact forms. Gravity Forms has honeypot protection as a built-in option, but often times that is not enough protection.
- Contact Form 7 – Contact Form 7 relies on Akismet, which goes through splurges of missed spam that can be quite alarming. This can be remedied with Simple Comments.
- WooCommerce 2.1 Login Form – Simple Comments is the only hackbot protection available for WooCommerce.
- WooCommerce 2.1 Registration Form – Simple Comments is the only hackbot protection available for WooCommerce.
The WooCommerce Product Review form, that appears on product pages, is protected from spambots automatically.
The WooCommerce Product Enquiry Form extension, is also protected automatically from spambots if it is activated.
Gravity Forms Security
To apply the Simple Comments security to a Gravity Forms form, edit the form, select Simple Comments, click on the Security Fields button, click Update Form, and you’re done.
Contact Form 7 Security
To apply the Simple Comments security to Contact Form 7, edit the form. and elect Simple Comments Security from the Generate Tag pull down menu.
Select the newly generated tag, and paste it into the form, then click the Save button, and you’re done.
Junk Cleanup can perform automated tasks to keep your blog neat and tidy.
- Delete Spam – If you turn on the Store Spam option, the spam folder will be cleaned every hour.
- Delete Trackbacks – If the Close Pingbacks option is on, this won’t be needed, but everyone has different needs, so this option is here if you need it.
- Delete Unapproved – Some business blogs don’t monitor comments, but still get them, so this option can clean out those unapproved comments automatically.
Spam IP Address Blocklist
All comments have an IP address that can be used here to block it. Some spammers will go to the trouble of leaving a spam comment manually, but that is easily blocked with the IP address blocklist.
The IP address blocklist applies to all forms protected by Simple Comments. For example, if a certain IP address keeps registering bogus accounts, that IP address can be blocked, which adds to the security already provided.
Comment Form Message
This option can be used for text, HTML, and CSS, to style a message that will appear above the comment textarea. This option can also be used for ads.